<p>Comments on Webcam Legal Signature. TypePad, 2010-10-18T20:38:45Z. Benjamin Wright, https://legal-beagle.typepad.com/wrights_legal_beagle/</p>
<p>Benjamin Wright (http://profile.typepad.com/1217907132s32400) commented on 'Webcam Legal Signature', 2011-01-03T15:24:36Z:</p>
<p>To &quot;Electronic contracts&quot;: You say, &quot;the signature also has to be verified.&quot; You and I have different visions for legal signatures. You seem to believe that a signature must be verified the way that a PIN or password is verified. That approach to verification inevitably involves some form of pre-registration with an authority. In your name, you linked to http://www.docusign.com, so I assume you are advocating the Docusign approach. I take it that under the approach you advocate, the signer must, before signing, go through some kind of set-up process that involves registration of email or a password with an authority.</p>
<p>However, your approach to signatures (as you describe it here) seems clumsy and bureaucratic, a deterrent to many potential signers. Your approach is not like handwritten signatures on paper or fax. Your approach does not allow for spontaneous signatures because it requires pre-registration. Furthermore, your approach relies upon some kind of a registration authority, which is costly and problematic.</p>
<p>The webcam signature I offer here is like a handwritten signature on paper. It involves no pre-registration and no registration authority. No one has to pay the costs of the registration authority. The signer can sign spontaneously. Like a handwritten signature, the webcam signature normally is not &quot;verified,&quot; except (1) the relying party can informally look at the webcam signature and confirm generally that it looks and sounds like the signer, and (2) in the event of a serious dispute about authenticity (which is very rare!), an extensive forensic analysis can be undertaken, looking into topics like (a) the meta-data associated with the email to which the webcam video was attached, (b) whether the video was altered or fabricated, and (c) evidence from the contextual relationship between the parties.</p>
<p>Back to you, &quot;Electronic contracts.&quot; What do you think?</p>
<p>--Ben</p>
<p>Electronic contracts (http://www.docusign.com/) commented on 'Webcam Legal Signature', 2011-01-03T07:04:49Z:</p>
<p>Thanks for sharing! However, the signature also has to be verified. After verifying by email or password, the signature is then associated with its user. One way for users to verify their own electronic signature is to privately activate it.</p>
<p>Benjamin Wright (http://www.google.com/sidewiki/entry/benwright214/id/6YssMU4t8GXD3Dxn9bp8mz1w27E) commented on 'Webcam Legal Signature', 2010-11-24T17:04:19Z:</p>
<p>Footnote. The Zoho example to which Toby refers is introduced here: http://computer-forensics.sans.org/blog/2010/10/22/digital-forensics-investigators-write-report-store-digital-evidence</p>
<p>Benjamin Wright (http://www.google.com/sidewiki/entry/benwright214/id/6YssMU4t8GXD3Dxn9bp8mz1w27E) commented on 'Webcam Legal Signature', 2010-11-24T16:59:21Z:</p>
<p>Toby:</p>
<p>I appreciate your comments, and I&#39;d like to know more about them. I am grateful that you have really thought about my ideas and you have taken the time to state thoughtful arguments. What do you think about these rebuttals:</p>
<p>Businesses, governments and professionals have been using email for years to transact all kinds of important business and to exchange all kinds of semi-sensitive information. Should they stop doing that?</p>
<p>Email can be encrypted, in many different ways and to varying degrees of security and varying degrees of convenience/inconvenience. The ideas I state in the article above do not rule out encryption.</p>
<p>Email -- without digital signatures -- is used as evidence in court on a routine basis. Email is authenticated for legal purposes without digital signatures all the time. There are more judicial cases in which email is accepted as evidence than you or I will ever be able to read.</p>
<p>If you want to add a digital signature to email, you can do that (just as you can add a notary stamp to an ink-signed sheet of paper if you want to do that).</p>
<p>I&#39;d enjoy hearing more about what you think a &quot;secure container&quot; is. If the secure container boils down to the investigator having a private key that he must protect with strong security, then a lot rides on that private key and the security around it. What happens if the investigator dies (or quits his job) after he performs his work and he locks the evidence with his key? How will someone else be able to find, unlock and authenticate the evidence? If all of these problems are solved by key escrow, then the escrow becomes a big institutional (and possibly expensive) issue. Further, I&#39;d like to know how practical key escrow is for investigators and how well it is implemented in practice.</p>
<p>Regarding reliance on corporations: 1. Happens all the time for purposes of important and sensitive transactions. 2. Backup copies of records can be made to places like hard drives and storage facilities controlled by alternative corporations. 3. The &quot;certificate&quot; to which you refer depends on a corporation (i.e., certification authority) that can do a bad job or go out of business.</p>
<p>As we evaluate these issues, please remember that the world of investigations is large and diverse. Not every investigation is as sensitive as a criminal investigation of a mafia boss. Some investigations are just (for example) internal reviews of human resources issues inside a corporation.</p>
<p>--Ben</p>
<p>Toby commented on 'Webcam Legal Signature', 2010-11-24T06:26:45Z:</p>
<p>Pleeeeease don&#39;t use email for that kind of stuff. You REALLY need a secure container - the communication needs to be encrypted.</p>
<p>Or would you send all this info on a Post card, or let it be hand delivered by 5-10 strangers?</p>
<p>And for the signature - laughable as well. Put a Certificate in there - digital signature.</p>
<p>Just think security first, and don&#39;t brainstorm like i wanna use this technology and that... blah, and at the end i&#39;m gonna add some &#39;fake&#39; security. </p>
<p>Also think that each product you use like zoho, is a corporation, with corporate interests... They CAN change whatever they want - you CANNOT trust any Corp (this of course includes the Email providers, cell service providers, internet providers, hosters...). But all these trust problems you can get around with a secure container.</p>
<p>Benjamin Wright (http://hack-igations.blogspot.com/2008/04/text-message-investigations.html) commented on 'Webcam Legal Signature', 2010-11-01T00:34:35Z:</p>
<p>Matt: Thank you for your comment.</p>
<p>The trickery that you suggest is subject to forensic analysis.</p>
<p>Email systems like Lotus Notes will keep an audit trail (meta data) showing whether the attachment was changed and when. If a party tries deceitfully to alter a contract by replacing the original attachment with a different one, and then to claim in court that the replacement is the original, he is buying himself a trip to jail (for fraud/perjury). See Munshani v. Signal Lake www.signallake.com/resources/email-forensics-library</p>
<p>--Ben</p>
<p>Matt Carlson commented on 'Webcam Legal Signature', 2010-10-30T18:38:35Z:</p>
<p>Ben,</p>
<p>Interesting idea. I&#39;m a little unclear on something. If I&#39;m negotiating an NDA, there might be several versions that are exchanged. If I understand correctly, you&#39;re proposing that in order to agree to it, I attach the NDA and a video of me stating my intention of being bound by the NDA to an email, right?</p>
<p>So what&#39;s to prevent the recipient from removing the NDA that I agreed to and attaching a different version? Lotus Notes allows this fairly easily. </p>
<p>I&#39;ll need a higher level of assurance before I can see using this for anything but the most trivial contracts. I agree with Edward that some type of notary might be useful in your protocol. </p>
<p>Matt</p>
<p>Thanks,</p>
<p>Matt</p>
<p>Benjamin Wright (http://www.buscalegis.ufsc.br/arquivos/lp9611041.pdf) commented on 'Webcam Legal Signature', 2010-10-19T13:47:04Z:</p>
<p>Edward:</p>
<p>Thanks for the comment. I agree that video can be forged. Handwritten signatures can be forged too.</p>
<p>However, successful, undetectable forgery of the whole package of evidence is not easy. In this example, the package of evidence that must be forged (with no trace of mistake) includes -- video, audio, email content, email audit trails, all relevant records of the email, and all of the time stamps. Plus, all of the forged facts must match up with the actual facts of the relationship between Ben Wright and Acme Corp. For example, there should be other timestamped emails between Ben and Acme discussing the non-disclosure agreement and the context of the agreement. The forgery must be consistent with those other emails.</p>
<p>In practice, making all of this match up places a big burden on the forger. If the forger makes even one mistake, he loses and he can go to jail for fraud.</p>
<p>--Ben</p>
<p>Edward Vielmetti (http://vielmetti.typepad.com) commented on 'Webcam Legal Signature', 2010-10-19T01:31:29Z:</p>
<p>Ben, a couple of thoughts.</p>
<p>Video is forgeable, just like anything else. If you want to make this ever so slightly more difficult to forge, you want to include some elements in the video which would be hard to replicate unless you were there at the time.</p>
<p>Some examples:</p>
<p>People who take photos of mushrooms that they find in the forest often put in the frame of the picture the current day&#39;s newspaper. That proves that they didn&#39;t get them earlier than that date. There may be other digital timestamping techniques that you can use that are equally obvious. (Of course, you can try to post-date something with this technique, but at least it provides a reference point that&#39;s tough to fake).</p>
<p>If you are sending someone a link to a video on Youtube, you&#39;re putting forth the opportunity for the sender to retroactively edit that video and replace it with something else. Consider sending the video as an attachment instead.</p>
<p>Utterances like this that are witnessed by someone else in real time, especially someone trustworthy, provide an added level of authenticity. What if instead of recording a monologue, you recorded a dialog with someone who was in some kind of notary role? The interaction could be via two way audio or video, capturing the recipient as well as the sender, and if there were any question you could refer back to the trusted third party to authenticate.</p>